From 45dbbef0428cf4768d2a1677d3c979722e33139a Mon Sep 17 00:00:00 2001
From: "J. Miguel Farto" <migeruhito@gmail.com>
Date: Sun, 21 Dec 2014 00:51:42 +0100
Subject: [PATCH 1/7] Jinja2 initialization changed and autoescape activated

---
 sagenb/flask_version/base.py | 26 ++++++++++++++++++--------
 sagenb/notebook/template.py  | 16 ++++------------
 2 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/sagenb/flask_version/base.py b/sagenb/flask_version/base.py
index a79b2b667..bf85e4ad0 100755
--- a/sagenb/flask_version/base.py
+++ b/sagenb/flask_version/base.py
@@ -15,8 +15,11 @@
 SRC = os.path.join(SAGE_SRC, 'sage')
 from flask.ext.openid import OpenID
 from flask.ext.babel import Babel, gettext, ngettext, lazy_gettext, get_locale
-from sagenb.misc.misc import SAGENB_ROOT, DATA, SAGE_DOC, translations_path, N_, nN_
-
+from sagenb.misc.misc import SAGENB_ROOT, DATA, SAGE_DOC, translations_path, N_, nN_, unicode_str
+from json import dumps
+from sagenb.notebook.cell import number_of_rows
+from sagenb.notebook.template import (css_escape, clean_name,
+                                      prettify_time_ago, TEMPLATE_PATH)
 oid = OpenID()
 
 class SageNBFlask(Flask):
@@ -55,10 +58,17 @@ def __init__(self, *args, **kwds):
         self.add_static_path('/doc/static', DOC)
         #self.add_static_path('/doc/static/reference', os.path.join(SAGE_DOC, 'reference'))
 
-    def create_jinja_environment(self):
-        from sagenb.notebook.template import env
-        env.globals.update(url_for=url_for)
-        return env
+        # Template globals
+        self.add_template_global(url_for)
+        # Template filters
+        self.add_template_filter(css_escape)
+        self.add_template_filter(number_of_rows)
+        self.add_template_filter(clean_name)
+        self.add_template_filter(prettify_time_ago)
+        self.add_template_filter(max)
+        self.add_template_filter(lambda x: repr(unicode_str(x))[1:],
+                                 name='repr_str')
+        self.add_template_filter(dumps, 'tojson')
 
     def static_view_func(self, root_path, filename):
         from flask.helpers import send_from_directory
@@ -334,7 +344,6 @@ def set_profiles():
             return render_template('html/accounts/openid_profile.html', **parse_dict)
         return redirect(url_for('base.index'))
 
-
 #############
 # OLD STUFF #
 #############
@@ -410,7 +419,8 @@ def create_app(path_to_notebook, *args, **kwds):
     ##############
     # Create app #
     ##############
-    app = SageNBFlask('flask_version', startup_token=startup_token)
+    app = SageNBFlask('flask_version', startup_token=startup_token,
+                      template_folder=TEMPLATE_PATH)
     app.secret_key = os.urandom(24)
     oid.init_app(app)
     app.debug = True
diff --git a/sagenb/notebook/template.py b/sagenb/notebook/template.py
index f0f48e71d..9e59b5284 100644
--- a/sagenb/notebook/template.py
+++ b/sagenb/notebook/template.py
@@ -17,11 +17,11 @@
 
 import jinja2
 
-import os, re, sys, json
+import os, re, sys
 
-from sagenb.misc.misc import SAGE_VERSION, DATA, unicode_str
-from sagenb.notebook.cell import number_of_rows
+from sagenb.misc.misc import SAGE_VERSION, DATA
 from flask.ext.babel import gettext, ngettext, lazy_gettext
+from flask import current_app as app
 
 if os.environ.has_key('SAGENB_TEMPLATE_PATH'):
     if not os.path.isdir(os.environ['SAGENB_TEMPLATE_PATH']):
@@ -30,7 +30,6 @@
     TEMPLATE_PATH = os.environ['SAGENB_TEMPLATE_PATH']
 else:
     TEMPLATE_PATH = os.path.join(DATA, 'sage')
-env = jinja2.Environment(loader=jinja2.FileSystemLoader(TEMPLATE_PATH))
 
 css_illegal_re = re.compile(r'[^-A-Za-z_0-9]')
 
@@ -96,13 +95,6 @@ def clean_name(name):
     """
     return ''.join([x if x.isalnum() else '_' for x in name])
 
-env.filters['css_escape'] = css_escape
-env.filters['number_of_rows'] = number_of_rows
-env.filters['clean_name'] = clean_name
-env.filters['prettify_time_ago'] = prettify_time_ago
-env.filters['max'] = max
-env.filters['repr_str'] = lambda x: repr(unicode_str(x))[1:]
-env.filters['tojson'] = json.dumps
 
 def template(filename, **user_context):
     """
@@ -143,7 +135,7 @@ def template(filename, **user_context):
                        'JEDITABLE_TINYMCE': JEDITABLE_TINYMCE,
                        'conf': notebook.conf() if notebook else None}
     try:
-        tmpl = env.get_template(filename)
+        tmpl = app.jinja_env.get_template(filename)
     except jinja2.exceptions.TemplateNotFound:
         return "Notebook Bug -- missing template %s"%filename
 

From 5c6c4b99cd0bb423a1f6f41c9c323452715a0d00 Mon Sep 17 00:00:00 2001
From: "J. Miguel Farto" <migeruhito@gmail.com>
Date: Sun, 21 Dec 2014 02:22:12 +0100
Subject: [PATCH 2/7] 'safe' added and 'escape' removed from templates

---
 sagenb/data/sage/html/error_message.html             |  2 +-
 sagenb/data/sage/html/history.html                   |  2 +-
 .../data/sage/html/notebook/afterpublish_window.html |  2 +-
 sagenb/data/sage/html/notebook/base.html             |  4 ++--
 sagenb/data/sage/html/notebook/cell.html             | 12 ++++++------
 .../html/notebook/download_or_delete_datafile.html   |  2 +-
 sagenb/data/sage/html/notebook/edit_window.html      |  2 +-
 .../sage/html/notebook/guest_worksheet_page.html     |  4 ++--
 .../data/sage/html/notebook/plain_text_window.html   |  2 +-
 sagenb/data/sage/html/notebook/print_worksheet.html  |  2 +-
 .../data/sage/html/notebook/specific_revision.html   |  2 +-
 sagenb/data/sage/html/notebook/text_cell.html        |  4 ++--
 sagenb/data/sage/html/notebook/worksheet.html        |  2 +-
 sagenb/data/sage/html/notebook/worksheet_page.html   |  2 +-
 .../data/sage/html/settings/notebook_settings.html   |  2 +-
 sagenb/data/sage/html/worksheet_listing.html         |  8 ++++----
 16 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/sagenb/data/sage/html/error_message.html b/sagenb/data/sage/html/error_message.html
index 5141bd9c8..f198a05e7 100644
--- a/sagenb/data/sage/html/error_message.html
+++ b/sagenb/data/sage/html/error_message.html
@@ -12,7 +12,7 @@
 
 {% block main %}
 <div>
-    {{ msg }}
+    {{ msg | safe }}
 </div>
 {% if cont %}
 <div style="padding: 1.0em; text-align: center;">
diff --git a/sagenb/data/sage/html/history.html b/sagenb/data/sage/html/history.html
index d6b829678..b96cb48f2 100644
--- a/sagenb/data/sage/html/history.html
+++ b/sagenb/data/sage/html/history.html
@@ -9,7 +9,7 @@
 {% block page_id %}history-page{% endblock %}
 
 {% block body %}
-    <pre>{{ text | escape }}</pre>
+    <pre>{{ text }}</pre>
     <a title="{{ gettext('Click here to turn the above into a Sage worksheet') }}" href="/live_history">{{ gettext('Create a new Sage worksheet version of the last 100 commands in the above log.') }}</a>
     <a name="bottom"></a>
     <script type="text/javascript">
diff --git a/sagenb/data/sage/html/notebook/afterpublish_window.html b/sagenb/data/sage/html/notebook/afterpublish_window.html
index 4f95c19c2..d0a3f32b3 100644
--- a/sagenb/data/sage/html/notebook/afterpublish_window.html
+++ b/sagenb/data/sage/html/notebook/afterpublish_window.html
@@ -5,7 +5,7 @@
 {% set checked = 'checked="true"' if worksheet.is_auto_publish() else '' %}
 
 {% block sharebar_title %}
-<p>{{ gettext('Worksheet is publicly viewable at <a href="%(u)s" style="color:#FFF" target="_blank">%(u)s', u=url) }}</a></p>
+<p>{{ gettext('Worksheet is publicly viewable at <a href="%(u)s" style="color:#FFF" target="_blank">%(u)s', u=url) | safe }}</a></p>
 <p>{{ gettext('Published on %(t)s', t=time) }}</p>
 <div>
     <a href="publish?re"><button>{{ gettext('Re-publish worksheet') }}</button></a>
diff --git a/sagenb/data/sage/html/notebook/base.html b/sagenb/data/sage/html/notebook/base.html
index 5e4f693f9..720e5a60b 100644
--- a/sagenb/data/sage/html/notebook/base.html
+++ b/sagenb/data/sage/html/notebook/base.html
@@ -61,7 +61,7 @@
 {% if worksheet.filename() %}
 <script  type="text/javascript">
     worksheet_filename = "{{ worksheet.filename() }}";
-    worksheet_name = {{ worksheet.name()|repr_str }};
+    worksheet_name = {{ worksheet.name() | repr_str | safe }};
     {% if not worksheet.is_published() or worksheet.notebook().conf()['pub_interact'] %}
         server_ping_while_alive();
     {% endif %}
@@ -82,7 +82,7 @@ <h1>{{ gettext('Account is read only.  You may download or delete worksheets or
            title="{{ gettext('Click to rename this worksheet') }}">
             {{ worksheet.name() }}
         </a>
-        <div><span class="lastedit">{{ gettext('last edited') }} {{ worksheet.html_time_last_edited(username) }}</span></div>
+        <div><span class="lastedit">{{ gettext('last edited') }} {{ worksheet.html_time_last_edited(username) | safe }}</span></div>
         {% if worksheet.warn_about_other_person_editing(username) and username != 'guest' and not worksheet.docbrowser() and not worksheet.is_published() %}
         <span class="pingdown">({{ gettext('Someone else is viewing this worksheet') }})</span>
         {% endif %}
diff --git a/sagenb/data/sage/html/notebook/cell.html b/sagenb/data/sage/html/notebook/cell.html
index e933d8ccd..1e8bc63b8 100644
--- a/sagenb/data/sage/html/notebook/cell.html
+++ b/sagenb/data/sage/html/notebook/cell.html
@@ -79,7 +79,7 @@
                     </a>
                 {% endif %}
             {% elif do_print or publish %}
-                <div class="cell_input_print">{{ cell.input_text().rstrip()|escape }}&nbsp;</div>
+                <div class="cell_input_print">{{ cell.input_text().rstrip() }}&nbsp;</div>
             {% else %}
                 <textarea class="{{ input_cls }}" rows="{{ (1, cell.input_text().strip()|number_of_rows(80))|max }}"
                           cols="80" spellcheck="false"
@@ -104,7 +104,7 @@
             <table class="cell_output_box">
                 <tr>
                     <td class="cell_number" id="cell_number_{{ cell.id() }}"
-                        {{ '' if do_print else 'onClick="cycle_cell_output_type(%r);"'|format(cell.id()) }} >
+                        {{ '' if do_print else 'onClick="cycle_cell_output_type(%r);"'|format(cell.id())| safe }} >
                         {% for i in range(7) %}&nbsp;{% endfor %}
                     </td>
                     <td class="output_cell">
@@ -112,20 +112,20 @@
                             <div class="cell_output_{{ "print_" if do_print else '' }}{{ cell.cell_output_type() }}"
                                 id="cell_output_{{ cell.id() }}">
                                 {% if cell.introspect() %}
-                                    {{ cell.output_text(0, html=true) }}
+                                    {{ cell.output_text(0, html=true) | safe }}
                                 {% else %}
-                                    {{ cell.output_text(wrap_, html=true) }}
+                                    {{ cell.output_text(wrap_, html=true) | safe }}
                                 {% endif %}
                             </div>
                             {% if not do_print %}
                                 <div class="cell_output_{{ 'print_' if do_print else '' }}nowrap_{{ cell.cell_output_type() }}"
                                      id="cell_output_nowrap_{{ cell.id() }}">
-                                    {{ cell.output_text(0, html=true) }}
+                                    {{ cell.output_text(0, html=true) | safe }}
                                 </div>
                             {% endif %}
                                 <div class="cell_output_html_{{ cell.cell_output_type() }}"
                                      id="cell_output_html_{{ cell.id() }}">
-                                    {{ cell.output_html() }}
+                                    {{ cell.output_html() | safe }}
                                 </div>
                         </div>
                     </td>
diff --git a/sagenb/data/sage/html/notebook/download_or_delete_datafile.html b/sagenb/data/sage/html/notebook/download_or_delete_datafile.html
index f401398f2..1f580fdf4 100644
--- a/sagenb/data/sage/html/notebook/download_or_delete_datafile.html
+++ b/sagenb/data/sage/html/notebook/download_or_delete_datafile.html
@@ -53,7 +53,7 @@
 <form method="post" action="savedatafile" enctype="multipart/form-data">
     <input type="submit" value="{{ gettext('Save Changes') }}" name="button_save" /> <input type="submit" value="{{ gettext('Cancel') }}" name="button_cancel" style="display:block" />
     <div style="border: 1px solid black; padding: 0px;">
-        <textarea class="edit" name="textfield" rows=20 cols=100 id="textfield" style="overflow: auto;">{{ text_file_content | escape }}</textarea>
+        <textarea class="edit" name="textfield" rows=20 cols=100 id="textfield" style="overflow: auto;">{{ text_file_content }}</textarea>
     </div>
     <script type="text/javascript">
     $(document).ready(function () {
diff --git a/sagenb/data/sage/html/notebook/edit_window.html b/sagenb/data/sage/html/notebook/edit_window.html
index 65ddd1a89..3c4a31597 100644
--- a/sagenb/data/sage/html/notebook/edit_window.html
+++ b/sagenb/data/sage/html/notebook/edit_window.html
@@ -20,6 +20,6 @@
     function save_worksheet_and_close() {
     }
 </script>
-    <textarea class="plaintextedit" id="cell_intext" name="textfield" rows="{{ worksheet.edit_text().count("\n")+1 }}">{{ worksheet.edit_text()|escape }}</textarea>
+    <textarea class="plaintextedit" id="cell_intext" name="textfield" rows="{{ worksheet.edit_text().count("\n")+1 }}">{{ worksheet.edit_text() }}</textarea>
 </form>
 {% endblock %}
diff --git a/sagenb/data/sage/html/notebook/guest_worksheet_page.html b/sagenb/data/sage/html/notebook/guest_worksheet_page.html
index 0994045a1..7e02b169e 100644
--- a/sagenb/data/sage/html/notebook/guest_worksheet_page.html
+++ b/sagenb/data/sage/html/notebook/guest_worksheet_page.html
@@ -60,8 +60,8 @@
 </ul>
 <hr class="usercontrol" />
 <h1 class="title">{{ worksheet.name() }}</h1>
-<h2 class="lastedit">{{ worksheet.html_time_since_last_edited() }}</h2>
-{{ worksheet.html(do_print=false, publish=true, username=username) }}
+<h2 class="lastedit">{{ worksheet.html_time_since_last_edited() | safe }}</h2>
+{{ worksheet.html(do_print=false, publish=true, username=username) | safe }}
 <script>
 {%- if conf['pub_interact'] %}
     cell_id_list = {{ worksheet.cell_id_list() }};
diff --git a/sagenb/data/sage/html/notebook/plain_text_window.html b/sagenb/data/sage/html/notebook/plain_text_window.html
index ffe6ec06c..06cb67858 100644
--- a/sagenb/data/sage/html/notebook/plain_text_window.html
+++ b/sagenb/data/sage/html/notebook/plain_text_window.html
@@ -7,5 +7,5 @@
 {% set select = "text" %}
 
 {% block after_sharebar %}
-<pre class="plaintext" id="cell_intext" name="textfield">{{ worksheet.plain_text(prompts=true, banner=false)|escape|trim }}</pre>
+<pre class="plaintext" id="cell_intext" name="textfield">{{ worksheet.plain_text(prompts=true, banner=false)|trim }}</pre>
 {% endblock %}
diff --git a/sagenb/data/sage/html/notebook/print_worksheet.html b/sagenb/data/sage/html/notebook/print_worksheet.html
index 67014e80e..f27f561d0 100644
--- a/sagenb/data/sage/html/notebook/print_worksheet.html
+++ b/sagenb/data/sage/html/notebook/print_worksheet.html
@@ -4,7 +4,7 @@
 
 {% block body %}
 <h1>{{ worksheet.name() }}</h1>
-{{ worksheet.html(do_print=true) }}
+{{ worksheet.html(do_print=true) | safe }}
 <!--    <script>
         MathJax.Hub.Queue(["Typeset",MathJax.Hub]);
     </script>-->
diff --git a/sagenb/data/sage/html/notebook/specific_revision.html b/sagenb/data/sage/html/notebook/specific_revision.html
index 29ce20daf..2e2625294 100644
--- a/sagenb/data/sage/html/notebook/specific_revision.html
+++ b/sagenb/data/sage/html/notebook/specific_revision.html
@@ -27,7 +27,7 @@
 {% block after_sharebar %}
 {{ actions() }}
 <div id="revision-data">
-    {{ worksheet.html(do_print=true, publish=true, username=username) }}
+    {{ worksheet.html(do_print=true, publish=true, username=username) | safe }}
 </div>
 {{ actions() }}
 <!--<script type="text/javascript">
diff --git a/sagenb/data/sage/html/notebook/text_cell.html b/sagenb/data/sage/html/notebook/text_cell.html
index 0d4e8d215..d668f9bef 100644
--- a/sagenb/data/sage/html/notebook/text_cell.html
+++ b/sagenb/data/sage/html/notebook/text_cell.html
@@ -39,7 +39,7 @@
             </script>
     {% endif %}
     <div class="text_cell" id="cell_text_{{ cell.id() }}">
-      {{ cell.plain_text() }}
+      {{ cell.plain_text() | safe }}
     </div>
 {% if JEDITABLE_TINYMCE and not cell.worksheet().is_published() and not cell.worksheet().docbrowser() and not do_print and not publish %}
     <script type="text/javascript">
@@ -57,7 +57,7 @@
             cancel : "{{ gettext('Cancel changes') }}",
             event  : "dblclick",
             style  : "inherit",
-	    data   : {{ cell.plain_text()|repr_str }}
+	    data   : {{ cell.plain_text()|repr_str| safe }}
         });
     </script>
 {% endif %}
diff --git a/sagenb/data/sage/html/notebook/worksheet.html b/sagenb/data/sage/html/notebook/worksheet.html
index 24297d726..2c391ea02 100644
--- a/sagenb/data/sage/html/notebook/worksheet.html
+++ b/sagenb/data/sage/html/notebook/worksheet.html
@@ -13,6 +13,6 @@
 <div class="cell_input_active" id="cell_resizer"></div>
 <div class="worksheet_cell_list" id="worksheet_cell_list">
   {% for cell in worksheet.cell_list() %}
-    {{ cell.html(wrap = wrap, div_wrap = true, do_print = do_print, publish = publish) }}
+    {{ cell.html(wrap = wrap, div_wrap = true, do_print = do_print, publish = publish) | safe }}
   {% endfor %}
 </div>
diff --git a/sagenb/data/sage/html/notebook/worksheet_page.html b/sagenb/data/sage/html/notebook/worksheet_page.html
index 5c515102d..3cbce96d9 100644
--- a/sagenb/data/sage/html/notebook/worksheet_page.html
+++ b/sagenb/data/sage/html/notebook/worksheet_page.html
@@ -14,7 +14,7 @@
 {% block worksheet_main %}
 {% set toggle=true %}
 <div class="worksheet" id="worksheet">
-    {{ worksheet.html(username=username) }}
+    {{ worksheet.html(username=username) | safe }}
     <div class="insert_new_cell" id="insert_last_cell">
         <div class="ui-icon ui-icon-circle-plus wksht-icon_button" 
             id="insert_new_last_compute_cell" 
diff --git a/sagenb/data/sage/html/settings/notebook_settings.html b/sagenb/data/sage/html/settings/notebook_settings.html
index 77ea7fbbf..36c0f4a70 100644
--- a/sagenb/data/sage/html/settings/notebook_settings.html
+++ b/sagenb/data/sage/html/settings/notebook_settings.html
@@ -20,7 +20,7 @@
       <a href="/"><button>{{ gettext('Cancel') }}</button></a>
   </div>
   {%- if auto_table %}
-  {{ auto_table }}
+  {{ auto_table | safe }}
   {%- endif %}
   <div class="buttons">
       <button type="submit">{{ gettext('Save') }}</button>
diff --git a/sagenb/data/sage/html/worksheet_listing.html b/sagenb/data/sage/html/worksheet_listing.html
index 12e261c14..0a660631b 100644
--- a/sagenb/data/sage/html/worksheet_listing.html
+++ b/sagenb/data/sage/html/worksheet_listing.html
@@ -30,7 +30,7 @@
 <script type="text/javascript" src="/javascript/jquery/plugins/form/jquery.form.min.js"></script>
 <script type="text/javascript" src="/javascript/jquery/plugins/jquery.bgiframe.min.js"></script>
 <script type="text/javascript">
-    var worksheet_filenames = {{ worksheet_filenames|tojson|safe }}; 
+    var worksheet_filenames = {{ worksheet_filenames|tojson| safe }}; 
 </script>
 <script type="text/javascript" src="/javascript/sage/js/notebook_lib.js"></script>
 <script type="text/javascript" src="/javascript/dynamic/notebook_dynamic.js"></script>
@@ -174,9 +174,9 @@ <h1>{{ gettext('Account is read only.  You may download or delete worksheets or
             </td>
 
             <td class="worksheet_link">
-                <a title="{{ worksheet.name() | escape }}" id="name-{{ name|css_escape }}" class="worksheetname" href="/home/{{ name }}/">
+                <a title="{{ worksheet.name() }}" id="name-{{ name|css_escape }}" class="worksheetname" href="/home/{{ name }}/">
                     {% if worksheet.compute_process_has_been_started() %}({{ gettext('running') }}){% endif %}
-                    {{ worksheet.truncated_name(50) | escape}}
+                    {{ worksheet.truncated_name(50) }}
                 </a>
                 
                 {% if not pub and worksheet.is_published() %}(Published){% endif %}
@@ -222,7 +222,7 @@ <h1>{{ gettext('Account is read only.  You may download or delete worksheets or
                 {% endif %}
             </td>
             <td>
-                {{ worksheet.html_time_nice_edited(username) }}
+                {{ worksheet.html_time_nice_edited(username) | safe }}
             </td>
         </tr>
         {% endfor %}

From 08166f8de49819be768db9c8ee6d9a16a312bae0 Mon Sep 17 00:00:00 2001
From: "J. Miguel Farto" <migeruhito@gmail.com>
Date: Sun, 21 Dec 2014 14:00:48 +0100
Subject: [PATCH 3/7] quotes left to jinja automatic autoescape

---
 sagenb/data/sage/html/notebook/cell.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sagenb/data/sage/html/notebook/cell.html b/sagenb/data/sage/html/notebook/cell.html
index 1e8bc63b8..f9df4d089 100644
--- a/sagenb/data/sage/html/notebook/cell.html
+++ b/sagenb/data/sage/html/notebook/cell.html
@@ -104,7 +104,7 @@
             <table class="cell_output_box">
                 <tr>
                     <td class="cell_number" id="cell_number_{{ cell.id() }}"
-                        {{ '' if do_print else 'onClick="cycle_cell_output_type(%r);"'|format(cell.id())| safe }} >
+                        {{ '' if do_print else 'onClick=cycle_cell_output_type(%r);'|format(cell.id()) }} >
                         {% for i in range(7) %}&nbsp;{% endfor %}
                     </td>
                     <td class="output_cell">

From f00d4426c11725f49c4a095bbf53f454912b1987 Mon Sep 17 00:00:00 2001
From: "J. Miguel Farto" <migeruhito@gmail.com>
Date: Thu, 29 Jan 2015 12:06:43 +0100
Subject: [PATCH 4/7] #323 reverted

---
 sagenb/flask_version/worksheet.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sagenb/flask_version/worksheet.py b/sagenb/flask_version/worksheet.py
index 7cb4b6bb5..837388b03 100644
--- a/sagenb/flask_version/worksheet.py
+++ b/sagenb/flask_version/worksheet.py
@@ -1,7 +1,7 @@
 import re
 import os, threading, collections
 from functools import wraps
-from flask import Module, make_response, url_for, render_template, request, session, redirect, g, current_app, escape
+from flask import Module, make_response, url_for, render_template, request, session, redirect, g, current_app
 from decorators import login_required, with_lock
 from collections import defaultdict
 from werkzeug.utils import secure_filename
@@ -920,7 +920,7 @@ def worksheet_rate(worksheet):
         return current_app.message(_("Gees -- You can't fool the rating system that easily!"),
                           url_for_worksheet(worksheet))
 
-    comment = str(escape(request.values['comment']))
+    comment = request.values['comment']
     worksheet.rate(rating, comment, g.username)
     s = _("""
     Thank you for rating the worksheet <b><i>%(worksheet_name)s</i></b>!

From 7a3581458f8339cf7f54da5c04133d6f969a2125 Mon Sep 17 00:00:00 2001
From: "J. Miguel Farto" <migeruhito@gmail.com>
Date: Thu, 24 Sep 2015 23:28:31 +0200
Subject: [PATCH 5/7] themes branch compatibility

---
 sagenb/flask_version/base.py | 2 +-
 sagenb/notebook/template.py  | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/sagenb/flask_version/base.py b/sagenb/flask_version/base.py
index bf85e4ad0..d91dfaea7 100755
--- a/sagenb/flask_version/base.py
+++ b/sagenb/flask_version/base.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python
 import os, time, re
 from functools import partial
-from flask import Flask, Module, url_for, render_template, request, session, redirect, g, make_response, current_app
+from flask import Flask, Module, url_for, request, session, redirect, g, make_response, current_app, render_template
 from decorators import login_required, guest_or_login_required, with_lock
 from decorators import global_lock
 # Make flask use the old session foo from <=flask-0.9
diff --git a/sagenb/notebook/template.py b/sagenb/notebook/template.py
index 9e59b5284..667748976 100644
--- a/sagenb/notebook/template.py
+++ b/sagenb/notebook/template.py
@@ -95,7 +95,6 @@ def clean_name(name):
     """
     return ''.join([x if x.isalnum() else '_' for x in name])
 
-
 def template(filename, **user_context):
     """
     Returns HTML, CSS, etc., for a template file rendered in the given

From bbd238e23dcf9101aa474b50912c6f5877eccb40 Mon Sep 17 00:00:00 2001
From: J Miguel Farto <migeruhito@gmail.com>
Date: Wed, 18 Nov 2015 09:26:29 +0100
Subject: [PATCH 6/7] Main help page strings marked as safe

---
 sagenb/data/sage/html/docs.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sagenb/data/sage/html/docs.html b/sagenb/data/sage/html/docs.html
index d36fa2603..5e3722751 100644
--- a/sagenb/data/sage/html/docs.html
+++ b/sagenb/data/sage/html/docs.html
@@ -35,9 +35,9 @@ <h2>{{ gettext('How to use the Sage Notebook') }}</h2>
     <table class="help_window">
         
         {% for x, y in notebook_help %}
-        <tr><td class="help_window_sub", colspan="2">{{ x }}</td></tr>
+        <tr><td class="help_window_sub", colspan="2">{{ x | safe }}</td></tr>
         {% for z, w in y %}
-        <tr><td class="help_window_cmd">{{ z }}</td><td class="help_window_how">{{ w }}</td></tr>
+        <tr><td class="help_window_cmd">{{ z | safe }}</td><td class="help_window_how">{{ w | safe }}</td></tr>
         {% endfor %}
         {% endfor %}
     </table>

From c3d3c444dfc93c817a94c8e2733fd5ee817de975 Mon Sep 17 00:00:00 2001
From: J Miguel Farto <migeruhito@gmail.com>
Date: Wed, 2 Dec 2015 09:53:36 +0100
Subject: [PATCH 7/7] doctest fixes

---
 sagenb/notebook/cell.py      | 6 +++++-
 sagenb/notebook/challenge.py | 8 +++++---
 sagenb/notebook/notebook.py  | 6 +++++-
 sagenb/notebook/template.py  | 4 ++++
 sagenb/notebook/worksheet.py | 6 +++++-
 5 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/sagenb/notebook/cell.py b/sagenb/notebook/cell.py
index aba5db739..e38af73b1 100755
--- a/sagenb/notebook/cell.py
+++ b/sagenb/notebook/cell.py
@@ -551,7 +551,11 @@ def html(self, wrap=None, div_wrap=True, do_print=False,
 
         EXAMPLES::
 
-            sage: nb = sagenb.notebook.notebook.Notebook(tmp_dir(ext='.sagenb'))
+            sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+            sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+            sage: ctx = app.app_context()
+            sage: ctx.push()
+            sage: nb = base.notebook
             sage: nb.user_manager().add_user('sage','sage','sage@sagemath.org',force=True)
             sage: W = nb.create_new_worksheet('Test', 'sage')
             sage: C = sagenb.notebook.cell.TextCell(0, '2+3', W)
diff --git a/sagenb/notebook/challenge.py b/sagenb/notebook/challenge.py
index a412e36a1..9d0e20919 100644
--- a/sagenb/notebook/challenge.py
+++ b/sagenb/notebook/challenge.py
@@ -448,10 +448,12 @@ def html(self, error_code = None, **kwargs):
 
         TESTS::
 
+            sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+            sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+            sage: ctx = app.app_context()
+            sage: ctx.push()
+            sage: nb = base.notebook
             sage: from sagenb.notebook.challenge import reCAPTCHAChallenge
-            sage: tmp = tmp_dir(ext='.sagenb')
-            sage: import sagenb.notebook.notebook as n
-            sage: nb = n.Notebook(tmp)
             sage: chal = reCAPTCHAChallenge(nb.conf(), remote_ip = 'localhost')
             sage: chal.html()
             u'...recaptcha...'
diff --git a/sagenb/notebook/notebook.py b/sagenb/notebook/notebook.py
index 922504a16..c2b64b96f 100644
--- a/sagenb/notebook/notebook.py
+++ b/sagenb/notebook/notebook.py
@@ -1323,7 +1323,11 @@ def html_worksheet_revision_list(self, username, worksheet):
 
         EXAMPLES::
 
-            sage: nb = sagenb.notebook.notebook.Notebook(tmp_dir(ext='.sagenb'))
+            sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+            sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+            sage: ctx = app.app_context()
+            sage: ctx.push()
+            sage: nb = base.notebook
             sage: nb.create_default_users('password')
             sage: W = nb.create_new_worksheet('Test', 'admin')
             sage: W.body()
diff --git a/sagenb/notebook/template.py b/sagenb/notebook/template.py
index 667748976..17c6385b4 100644
--- a/sagenb/notebook/template.py
+++ b/sagenb/notebook/template.py
@@ -114,6 +114,10 @@ def template(filename, **user_context):
 
     EXAMPLES::
 
+        sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+        sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+        sage: ctx = app.app_context()
+        sage: ctx.push()
         sage: from sagenb.notebook.template import template
         sage: s = template(os.path.join('html', 'yes_no.html')); type(s)
         <type 'unicode'>
diff --git a/sagenb/notebook/worksheet.py b/sagenb/notebook/worksheet.py
index 5cd2ca2b3..3518109d1 100644
--- a/sagenb/notebook/worksheet.py
+++ b/sagenb/notebook/worksheet.py
@@ -1431,7 +1431,11 @@ def html_ratings_info(self, username=None):
 
         EXAMPLES::
 
-            sage: nb = sagenb.notebook.notebook.Notebook(tmp_dir(ext='.sagenb'))
+            sage: from sagenb.flask_version import base # random output -- depends on warnings issued by other sage packages
+            sage: app = base.create_app(tmp_dir(ext='.sagenb'))
+            sage: ctx = app.app_context()
+            sage: ctx.push()
+            sage: nb = base.notebook
             sage: nb.create_default_users('password')
             sage: W = nb.create_new_worksheet('Publish Test', 'admin')
             sage: W.rate(0, 'this lacks content', 'riemann')